RE: VPN endpoints

["Smith, Aaron" <SmithA () byui edu>]

I think it really depends on the purpose of the VPN.  I implemented a
VPN solution that bypassed the firewall completely.  Why?  Because it is
used for administrative network access, ie. in case the firewall was out
of whack.

For client access, my preference is to protect the VPN's external
interface by putting it in the DMZ.  Then put the internal interface
inside.  That way you can filter packets where they should be
filtered--at the firewall.

@@ron Smith
"Let smiths perform the work of smiths."

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of
hermit921
Sent: Tuesday, August 24, 2004 11:37 AM
To: firewall-wizards () honor icsalabs com
Subject: [fw-wiz] VPN endpoints

We are planning to put a VPN endpoint at our site for remote access.  We

know nothing about the remote client computers, we just provide an 
authentication mechanism for the users.  The question concerns where we
put 
the VPN endpoint on our network.

I figure it this way: 2 VPN device interfaces, either of which can go 
outside the firewall, on a DMZ, or inside the firewall.  That gives us 9

possible arrangements, some of which are ridiculous, but fun to 
consider.  We came down to two configurations.

One approach is putting the internal interface on a DMZ.  The other 
approach is to have the VPN bypass the firewall entirely.  I am looking
for 
advice on which approach is better, and reasons why.

hermit921

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards